Vulnerability in Oracle Access Manager exploited to bypass authentication and control the account of any user

Wolfgang Ettlinger of SEC Consult Vulnerability Lab, information security expert, found vulnerability in Oracle Access Manager that can be exploited remotely to bypass authentication and take over the account of any user or administrator on the affected systems.

Professionals tell us that Oracle Access Management provides Web SSO with MFA, general authorization and session management, and standard SAML Federation and OAuth capabilities to allow secure access to mobile applications and the cloud.

The vulnerability, CVE-2018-2879, relates a defective cryptographic format used by Oracle Access Manager.

“Small peculiarities of the cryptographic implementation had a real impact on the security of the product. When this vulnerability was exploited, arbitrary authentication tokens could be manufactured, which allowed us to supplant any user and break the main functionality of OAM”.

An attacker can exploit vulnerability by the way OAM handles encrypted messages to trick the software and accidentally discloses information that can be used to log in as other users, Ettlinger explained.

An attacker can make a fill oracle attack to disclose the authorization cookie of an account; it can generate a script to create valid login keys for any desired user, including administrators.

“During an investigation, we found that a cryptographic format used by the OAM exhibits a serious flaw. When exploiting this vulnerability, we were able to create a session token. When a WebGate is presented with this token, it would accept it as a legitimate form of authentication and allow access to protected resources, “explained the information security professional.

“On the other hand, the process of creating session cookies allows us to create a session cookie for an arbitrary user name, which allows us to impersonate any user.”

The versions of Oracle Access Management that were affected by the vulnerability are; 11g and 12c. The professionals used a simple Google Dork to find more than 11,800 OAM facilities, some belonging to high-profile organizations, including Oracle. It is important to consider that there are many other facilities that are not accessible from the Internet.

Information security researchers responsibly revealed this flaw to Oracle at the end of 2017. This addressed the vulnerability with the last update of critical patches in April.